If you want to parse PE binaries, go right ahead. If Red Hat wants to deep-throat Microsoft, that's *your* issue. That has nothing what-so-ever to do with the kernel I maintain. It's trivial for you guys to have a signing machine that parses the PE binary, verifies the signatures, and signs the resulting keys with your own key. You already wrote the code, for chrissake, it's in that f*cking pull request.

Why should *I* care? Why should the kernel care about some idiotic "we only sign PE binaries" stupidity? We support X.509, which is the standard for signing.

Do this in user land on a trusted machine. There is zero excuse for doing it in the kernel.

UEFI is a lot of things: Some good, some bad, and some ugly. One of the "ugly" things being its adopted FAR too many of Microsoft conventions (RTC in local time, PE/COFF, even the API looks far too much like the Win32 API - CamelCase, typedefs galore, opaque objects like handles and GUID's, functions that take dozens of arguments at least half of which aren't used)

Because of limitation of UEFI Secure boot (we can't define additional authentication mechanisms, thus for "shim" to work it has to do all the work UEFI does - parse the PE/COFF structures, validate signatures, do relocations as PE/COFF is not position-independent, map it into memory then jump to start point, etc), and Microsoft asinine signing policies (will only sign PE/COFF binaries wrapped in MS Cabinet format) - it seems that the naysayers were right - Secure boot is just another MS lockin tool.

This patch, and other patches floating around (to prevent a signed Linux kernel from being hijacked and used to chain-load Windows malware) - that disable hibernation, kexec and lots of other things (if you want Secure boot to be effective you have to make sure no "untrusted" code runs in supervisor mode) - drive the point home that Secure Boot is a best a feel-good measure, and at worst an MS lockin tool.

UEFI is a lot of things: Some good, some bad, and some ugly. One of the "ugly" things being its adopted FAR too many of Microsoft conventions (RTC in local time, PE/COFF, even the API looks far too much like the Win32 API - CamelCase, typedefs galore, opaque objects like handles and GUID's, functions that take dozens of arguments at least half of which aren't used)

Because of limitation of UEFI Secure boot (we can't define additional authentication mechanisms, thus for "shim" to work it has to do all the work UEFI does - parse the PE/COFF structures, validate signatures, do relocations as PE/COFF is not position-independent, map it into memory then jump to start point, etc), and Microsoft asinine signing policies (will only sign PE/COFF binaries wrapped in MS Cabinet format) - it seems that the naysayers were right - Secure boot is just another MS lockin tool.

This patch, and other patches floating around (to prevent a signed Linux kernel from being hijacked and used to chain-load Windows malware) - that disable hibernation, kexec and lots of other things (if you want Secure boot to be effective you have to make sure no "untrusted" code runs in supervisor mode) - drive the point home that Secure Boot is a best a feel-good measure, and at worst an MS lockin tool.

Linux users should make this hurt where it counts: in the wallet. The Linux community may not have economic clout, but sometimes in the past when Microsoft has done such things (borderline anti-competitive practices), it has actually hurt their reputation with users and caused people to choose other products (Internet Explorer being a case in point, after they shat on Netscape and others). Another example is the office document formats.

At the moment, Microsoft is engaged in a big-time marketing campaign to make themselves "Cool", so they can compete against Apple in the tablet and hand-held space and against Google in the cloud space. A well-coordinated and viral communication effort conveying the message that what they're doing here is "Not Cool" at all, leveraging the "Anonymous" crowd and social media, could force them to the table to agree to a more open standard, perhaps with an independent signing authority. Also, maybe Red Hat should understand they're bending over too easy, and that's Not Cool either. Various governments who wanted to avoid vendor lock-in, in order to fulfill their public obligation to competitive procurement, were the main reason MS caved in on the document formats, so they should be made to understand that this is the same situation. Formal organizations such as The Linux Foundation, EFF, major distributions, can't really engage in such a thing, so I don't know who could make it happen.